1. Technical Field
This application relates generally to secure, cloud-based collaboration and sharing of digital data objects, such as documents.
2. Brief Description of the Related Art
An increasing number of enterprises and private individuals choose cloud-based data storage solutions instead of building their own storage systems. Outsourcing storage has several advantages, including flexibility and cost efficiency. In addition, cloud-based data storage systems provide increased dependability and easy access to the data from anywhere and at any time. That said, cloud-based data storage systems also have disadvantages. Most importantly, data owners lose control over their data, as a cloud operator can delete the data or even deny the execution of a requested delete operation. Furthermore, there are also serious security issues in such solutions, stemming from the fact that the cloud operators have access to the data of millions of people and thousands of companies. An attacker may break into the cloud system to obtain access to the data stored there, or the cloud operator itself may be tempted to misuse its privileged position. Thus, even the exploitation of a single vulnerability may lead to the compromise of a large amount of information.
In today's cloud-based data storage systems, access control to the stored data is based on the traditional access control list approach, where a trusted reference monitor enforces the access control policy represented by the access control lists. In cloud-based data storage systems, however, the reference monitor is under the control of the cloud operator, and hence, it cannot be trusted fully. Another approach is to use cryptographic protection mechanisms and, in particular, to store only encrypted data in the cloud. This, in turn, requires appropriate key management schemes to support abstractions, such as groups and shared resources.
Digital Rights Management (DRM) refers to technologies used for the protection of digital content, typically audio or audiovisual works. DRM works by encrypting the content before distribution, and by limiting access to only those end-users who have acquired a proper license to play or render (display) the content. An end-to-end DRM system typically comprises three (3) parts: encryption, business-logic and license-delivery. DRM starts with the encryption of the content. Once the content is encrypted, a key is required to unlock the content. The encrypted content can be delivered through any number of delivery methods. An end-user who desires to play or render the content visits an e-commerce web site and transacts with the business-logic process, usually involving one of registration, login, and/or payment; once this is done, the end-user is issued a license to play the content. The issued license typically comprises (i) a key (for decrypting the content), (ii) a set of rights (e.g. play or render exactly once, play for 30 days, render, or the like), and (iii) the property that the license is valid only on the end-user machine to which it is issued. When an end-user attempts to play or render the DRM-protected content, an end-user player/client application enforces the DRM.
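The three license components described above can be shown in a short sketch. This is an added example, not code from the application: all names (`issue_license`, `Player`, the field names) are hypothetical, the XOR wrap stands in for a real key-wrap algorithm, and a shared MAC key stands in for an issuer signature.

```python
import hashlib, hmac, json

ISSUER_MAC_KEY = b"constructed-issuer-mac-key"  # constructed demo secret (assumption)

def _wrap(content_key: bytes, device_secret: bytes, license_id: str) -> bytes:
    # Stand-in for a real key wrap: XOR with a pad derived from the device secret.
    pad = hmac.new(device_secret, license_id.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(content_key, pad))  # XOR is its own inverse

def _mac(body: dict) -> str:
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_MAC_KEY, blob, hashlib.sha256).hexdigest()

def issue_license(license_id, content_key, device_id, device_secret, plays, not_after):
    body = {
        "id": license_id,
        "wrapped_key": _wrap(content_key, device_secret, license_id).hex(),  # (i) key
        "rights": {"plays": plays, "not_after": not_after},                  # (ii) rights
        "device_id": device_id,                                              # (iii) machine binding
    }
    return {"body": body, "mac": _mac(body)}

class Player:
    """Client-side enforcement point: checks the license before releasing the key."""
    def __init__(self, device_id, device_secret):
        self.device_id, self.device_secret = device_id, device_secret
        self.plays_used = {}  # license id -> plays consumed on this device

    def unlock(self, lic, now):
        body = lic["body"]
        if not hmac.compare_digest(lic["mac"], _mac(body)):
            raise PermissionError("license tampered")
        if body["device_id"] != self.device_id:
            raise PermissionError("license bound to another device")
        if now > body["rights"]["not_after"]:
            raise PermissionError("license expired")
        used = self.plays_used.get(body["id"], 0)
        if used >= body["rights"]["plays"]:
            raise PermissionError("play count exhausted")
        self.plays_used[body["id"]] = used + 1
        return _wrap(bytes.fromhex(body["wrapped_key"]), self.device_secret, body["id"])
```

Every check runs inside the player on the end-user machine, so the protection is only as strong as that client's resistance to modification.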